This summer brought two separate but significant events that proved one thing: spending on cloud security is set to soar. In July, Israeli cybersecurity startup Wiz walked away from a $23 billion deal with Google, choosing instead to bet on its own growth and pursue an IPO. Around the same time, CrowdStrike released a faulty security update, causing an outage that left flights grounded and IT systems hobbled. This MediaTalk episode explores the effects of these two events and how spending on cloud security — both in terms of enterprise IT budgets and potential M&A — is expected to increase in the coming months and years.
Mike Reynolds: Hi, I'm Mike Reynolds, a senior reporter covering the media industry with S&P Global Market Intelligence tech, media and telecom news team. Welcome to "MediaTalk," a podcast hosted by S&P Global, where the news and research staff explore issues in the evolving media landscape. Today, I'm joined by Scott Crawford, research director of the information security channel at S&P Global Market Intelligence's 451 Research. Scott leads the industry analyst team covering innovation, disruption, and strategic players in cybersecurity and cyber risk. Scott, how are you doing today?
Scott Crawford: I'm great, Mike. Thank you for having me.
Reynolds: All right. Also with us today are my colleagues on the TMT news team, Iuri Struta and Stefan Modrich. Iuri follows tech M&A and capital markets, while Stefan covers tech policy from Washington, D.C. Thanks to all of you for joining me today. Iuri, how are you doing?
Iuri Struta: Hey, Mike. I'm doing great. Thanks for having me, and I think this is a timely topic.
Reynolds: And Stefan, what goes on in DC?
Stefan Modrich: Lots to talk about today, Mike. I'm looking forward to it.
Reynolds: All right. Today, our conversation is going to center on the major cybersecurity events that made headlines recently, including the July 19 CrowdStrike outage that left millions of Windows users staring at a blue screen of death and led to plane delays, failed payments and media disruptions, among other things. We'll also cover the failed romance between Google and Wiz, and the wave of consolidation that is nevertheless expected in the cloud security market. A lot of ground to cover, so let's get at it. Scott, can you start us off by explaining what happened with the CrowdStrike outage?
Crawford: Sure, Mike. What happened was that CrowdStrike, which our listeners may or may not be familiar with the name, they are a cybersecurity technology vendor whose focus is on endpoint threat detection and response primarily, but that's not the only area they play in. Generally, they participate in markets around cyber threat detection and response. They do have an endpoint agent that's deployed on a lot of systems around the world, and in this case, the Windows endpoint agent was at issue here, their Falcon host agent. What happens is that when CrowdStrike recognizes a new threat or wants to push new ways to recognize, identify threats and put out mitigations against them, they will push updates to their endpoint agents. These updates take various forms. One of them is what they refer to as a rapid response functionality, and there was a rapid response functionality content update that was pushed to the CrowdStrike agents late US time on Thursday night overnight, and it caused a problem in the way that it was handled by Windows systems. This functionality works at a very low level of Windows systems, and to protect itself when there are issues or problems, the Windows system will protect itself by shutting down any attempt to interfere or potentially corrupt the functioning of the Windows system at that very low level — the level of the operating system kernel in this case, which is not uncommon among cybersecurity technology.
Reynolds: But that's what I was going to say. I mean, fortunately, the shutdowns are few and far between, but these updates, these patches, this happens all the time, Scott?
Crawford: It does. Part of the reason for this functionality at this very low level is that you're trying to get visibility into, and hopefully preventive control over, actions of adversaries and threat actors who also seek to achieve a very high level of control over their target systems. So this level of visibility is, at this time, at least anyway, necessary in most systems to achieve that kind of protection and response. So yes, these updates happen frequently. In fact, CrowdStrike moves these out to its endpoint agents on a very frequent basis, as do a lot of their competitors with their own functionalities as well. So yeah, this is not at all uncommon.
Reynolds: Iuri, what was the fallout from the outage on the Street? What happened on the Wall Street side?
Struta: Yeah, going into the incident, CrowdStrike was a Wall Street darling, so the company was trading at some of the highest valuation multiples, not only in the cybersecurity space but also in the entire software space of companies above the $1 billion market cap. So the stock fell about 11% on Friday when the incident happened, and a lot of the sell-side analysts were coming up with bullish notes saying it's an opportunity to buy a great name on the cheap, but the view somewhat changed a bit as analysts assessed the damage that was done and the CrowdStrike client reaction. So now I think CrowdStrike will probably have a hard time upselling in the coming quarters. So growth is likely to decelerate and, at worst, they're facing legal challenges and will have to offer steep discounts to customers to win them back. And I'm not sure if $10 Uber Eats vouchers helped or actually made customers even more infuriated.
Reynolds: It's a big ouch then for the outage.
Struta: Yes.
Reynolds: Stefan, what was the word from Washington, D.C. about the outage? I know several federal agencies had their own sites and operations go down.
Modrich: Yeah, Mike, it was really a mixed bag in terms of the effect across the board at the federal level. There are a few agencies, namely the FAA, which in contrast to, of course, several high-profile airlines that had flights grounded, the FAA said it itself had few, if any, issues with its operations. It actually said that they were not impacted by the global IT issue. Then others like the Department of Education had some issues that they were troubleshooting. So all in all, the consensus was that there was not necessarily a critical failure on the federal agencies. Now, looking at the response on the congressional side, in my outreach to a congressional aide, I learned that the House Online Security Committee is looking to bring CrowdStrike CEO George Kurtz in to testify after the August recess sometime in early September. So that's what we're looking at. And a CrowdStrike spokesperson confirmed that with me as well, that they're in touch with the relevant congressional committee.
Reynolds: That one's going to get a lot of attention from a lot of different quarters for sure. Iuri and Scott, are there any comparable outages from the past? What happened in the wake of those? Iuri, maybe you can get us started there.
Struta: Yeah, so I think an outage large enough to matter, and I did some research on this, was way back in 2010 by McAfee and that incident was still much smaller than this one. So McAfee also issued a bad update that affected millions of customers, and the impact on the company was pretty limited. Back then, McAfee said during that quarter that it lost about $15 million in revenue, largely due to rebates that it was forced to offer customers to win them back. But an interesting thing is that McAfee was sold later that year to Intel and it is unclear if that was due to the incident or if there was something else at play there. And McAfee is still a company that is still going strong. It was sold to private equity in 2021. But I think, and probably Scott has more on this, the difference between that incident and this one is that CrowdStrike is much more integrated into the global IT systems, and the world is much more digitalized now.
Reynolds: Scott, is he right?
Crawford: Yeah, I would add that technology, cybersecurity technology has evolved during that time as well, too, and now CrowdStrike is in a space where they're doing a lot more immediate detection of cyber threats on the systems where they're deployed. So the nature of the technology itself is much more acute detection, certainly more timely. The response times are quite good compared to a lot of approaches we had in technology in the past, and that has a lot to do with the widespread deployment. There's a couple of things to consider, though, about the impact on a company like CrowdStrike, which is one of the largest in terms of revenue, at least anyway, companies in the cybersecurity landscape. One of them is that there's a lot of competitors to CrowdStrike that have much the same functionality when it comes to interacting with their target hosts. Even if organizations were to change to a different provider, they'd have to ask themselves a question: How is this markedly different from exposing us to the type of issue that we saw with CrowdStrike in the previous week? That probably will mitigate in CrowdStrike's favor as far as potential for displacement or lost customers. Their being proactive about their response over the course of the last week has also been, frankly, in my opinion, a good sign for them because we've had a lot of cybersecurity incidents over many years, and in many cases, those affected have not been very forthcoming at all about the impact on their organization, their customers, their stakeholders. So, CrowdStrike being very transparent, really needs to be in order to retain the confidence of so many customers. So, there's a few things that mitigate in its favor going forward, and they're not the only ones affected by this. This had to do with the way that Microsoft responded to these cases as well, too. 
Microsoft — how it builds better anti-fragility measures, if you will, into protecting Windows systems — will probably be a factor for it going forward, and it's been under some federal scrutiny as well over the course of the last year. These larger companies seem to be fairly resilient to a lot of these issues, and we'll just have to see what unfolds from here about the future of all involved.
Reynolds: Iuri, do you think there's going to be a lot of activity in terms of the cyber market? Maybe it becomes more diversified? What puts and takes potentially could lie ahead?
Struta: Yeah, so I think cybersecurity M&A, the consolidation in the space, has remained strong in recent years compared to the overall tech market. And I think there are two reasons for that: Organizations are increasing their spending on cybersecurity. It remains one of the top spending categories according to 451 Research surveys. And second, unlike in other tech spaces, tech sectors, you have a larger universe of potential buyers, and this creates competition and leads to higher multiples. And so, who are these buyers? You have basically financial sponsors like private equity firms that have historically been very interested in cybersecurity. Thoma Bravo, KKR, and Permira all have built strong cybersecurity portfolios over the years. You have cybersecurity companies themselves that are buying. If you look at CrowdStrike itself, they are looking to diversify away from endpoint security, which is their bread and butter. They want to move into cloud security and network security as well, and they're doing that via acquisitions. And the third category of buyers in the cybersecurity space are large enterprise hardware and software vendors and cloud providers like the IBMs, the Googles, Microsoft, and Cisco, these kind of companies. And they're basically looking to boost their existing offerings with some cybersecurity add-ons, and for them, it's always a nice add-on and it has upsell potential.
Reynolds: Let's change gears a little bit and talk about a deal that almost was, but then didn't happen. Multiple press outlets reported that last month Google was in advanced talks to buy the Israeli cloud security startup Wiz for a paltry $23 billion. What's that among would-be friends? I think that amount was about twice its $12 billion valuation had it gone through, and if I'm not mistaken here — Scott, you can tell me if I'm wrong — it would have been the largest cybersecurity transaction in the 451 Research M&A knowledge base, and almost twice the previous record holder. Stefan, why did Google want Wiz and what happened?
Modrich: Sure. There were a lot of things from Google's side that made Wiz a very attractive acquisition target. The first being Wiz's versatility and its architecture that, as Scott can go into greater detail, makes it much more adaptable and easy to deploy. From Google's perspective, they have lagged behind Amazon Web Services and Microsoft Azure in terms of its cloud product and its offerings there, and it seemed like a glaring hole in their cybersecurity offerings and infrastructure.
Reynolds: And then Wiz going back to an old movie essentially wanted to walk on down the road by its own IPO in the offing?
Modrich: Yeah, so the IPO is definitely in the forecast for Wiz and it likely will not be affected by the presidential election because if it does happen, it will likely not be finalized until 2026, and the position that Wiz finds itself in after walking away from this deal is much stronger arguably than where it began when it first received that offer. And so that tells you a lot about the confidence that its leaders have in its ability to continue to grow this company and deliver its product, and that's consistent with what I've heard from M&A advisors and lawyers in the course of reporting on this deal.
Reynolds: Scott, why is there so much interest in the cloud security space at the moment?
Crawford: It is increasingly the venue of IT for organizations, large and small. Small organizations have historically been able to just pony up a credit card and put together an IT stack on a cloud provider's infrastructure with relatively little overhead. Now that's grossly oversimplified, but the idea is that not hosting your own infrastructure and not having to be responsible for a lot of the burdens of that maintenance is a real benefit to smaller organizations, whereas large enterprises, same story, but you're dealing with someone for whom all that is a profit center. It's a cost center for the typical enterprise. And so working with a provider that specializes in availability, performance, highly resilient, highly elastic resources that compute available on demand, pay for what you need. All of those are key advantages of the cloud, and with it come concerns about security and risk to the extent that cloud security is the No. 1 top pain point for 2024 in the surveys we conduct of security practitioners here at 451 Research. So yeah, you mentioned that Wiz at $23 billion would have been the largest cybersecurity deal. It comes close to rivaling the Splunk Inc. deal, which is roughly, according to the 451 Research M&A knowledge base, $26 billion. I believe that's enterprise value, but Splunk isn't exclusively security. A good deal of its business is for sure in the security market around security operations, technology, log management, raising events and alerting, handling response processes. But that's not all it does. It's also heavily involved in IT observability and markets related to those themes. But when it comes to primarily security as the playing field, then yes, Wiz would have been the largest, I think you could probably say, pure-play deal in cybersecurity we would have seen. And yeah, they walked. 
According to reports after the news came out that they'd walked from the Google deal, they had announced their intention to achieve $1 billion in annually recurring revenue with an IPO in view. So that says a lot about the confidence they've had, also the track record of their growth up to this point. Yeah, interesting story.
Reynolds: All right. You already touched on it before. A lot of interest in the space. Your sensibilities for, will there be a lot of action in terms of M&A in cybersecurity over the balance of this year into next?
Struta: Yeah. I think there is going to be a lot of interest, at least whether we are going to have deals actually that go to the finish line remains to be seen because there is a lot of sensibility and, as Stefan mentioned, regulatory pressures on big tech not to do a lot of deals. And most of it, deals by big tech don't get to the finish line mostly because there is so much uncertainty. And if you look at, for example, a startup like Wiz, they're growing very fast. And if you get into a two-year regulatory quagmire, then obviously this hits employee morale and you cannot work. And if the deal is not approved in two years, your business might be further behind. So I think as a result, it's hard to see whether you're going to have a lot of big deals unless the regulatory environment changes.
Reynolds: All right, fellows, we're getting to the end here. Scott, in the wake of the Google-Wiz situation, big winners and losers here?
Crawford: I think Wiz certainly sees itself as both to some extent. It takes a lot of moxie to walk away from a deal of that scale, but given their confidence in execution, both up to this point and what they're anticipating going forward, they clearly feel very confident about their prospects. They will be unencumbered, not only by going through the process of M&A but also the regulatory hurdles that would have had to have been cleared. Regulators have been very interested in Google, as Stefan was indicating earlier. And so that's one thing that doesn't tie their business up during the course of this. They're free to execute as they have up to this point. But it's done a lot, it's made a statement about their value for sure. It's made a statement about direct competitors' value in that same space. We do see a lot of cybersecurity vendors, some of the major vendors, looking to reach into the cloud security space to augment their portfolios. So it's all good really for that space. The challenge for those adopting will be, can they actually make use of these tools? Are they complex enough? Are they too complex? Are they delivering the value needed? And a lot of segments in the space.
Reynolds: All right, guys, last question for each of you. What is the one thing you're watching for in the cybersecurity space for the balance of the year? Lightning continues to strike, CrowdStrike market share shifts ahead. Stefan, can you go first?
Modrich: Yeah, to underscore the point about the regulatory challenges, that is going to continue to be an issue, and it will likely be a bipartisan concern going forward. So again, regardless of what happens with the presidential election in 2024, there is likely to be increased scrutiny, not just on Google, of course, but within their competitors and AWS and Microsoft. But don't count Google out in this regard either; definitely keep them in mind as that need still remains for them in terms of finding that kind of complementary piece on the cybersecurity side. So I'll definitely be looking out for potential acquisition targets on the Google side. And then, of course, monitoring Wiz's progress toward an IPO or potentially some other acquisitions that they could make to continue to grow their own business internally.
Reynolds: Iuri, what are your thoughts?
Struta: Yeah, so I'll definitely be looking for the impact on CrowdStrike earnings in the coming quarters. It will be very interesting to watch, and we should probably have some more details in September when they're having their first earnings after the outage. But also CrowdStrike competitors like SentinelOne Inc. and Palo Alto Networks Inc. to see signs of whether there is some impact on their earnings. All three companies have been posting double-digit growth rates, and it would be interesting to see how this incident translates to the bottom lines of these companies.
Reynolds: Scott, last word to you. Does the growth get halted now in the wake of what happened?
Crawford: I'd be skeptical, to tell you the truth, just because there has been so much demand and CrowdStrike has executed well up to this point for its customers. If this is an operational issue, I think there are ways to deal with that, learn from it moving forward. The specter of concern would probably remain over just how much this sort of thing is a potential future incident as well. So the industry and players like CrowdStrike, Palo Alto, all of those Iuri mentioned, will have to address that pretty directly in order to maintain confidence in this market going forward, but there's a counterweight to a lot of these vendors advocating their own platform for cybersecurity technology. This is likely to make some organizations rethink: should we be looking at a wider collection of tools that are perhaps best of breed in these areas? There has been some momentum as far as technologies coming to market, such as data fabrics, the data processing pipelines that connect components of the cybersecurity operations technology stack. Those, I think, will be getting more of a hearing in the wake of this. So we'll have to see how that balance between platforms versus decoupled, integrated third-party solutions in organizations, what kind of shape that takes going forward as well.
Reynolds: That concludes this episode of "MediaTalk." I just wanted to thank 451 Research's Scott Crawford, and my colleagues at S&P Market Intelligence, Iuri and Stefan, for talking about the world of cybersecurity.
Crawford: Thank you, Mike. Enjoyed it.
Struta: Thanks, Mike.
Modrich: Thanks, Mike.
Reynolds: This is Mike Reynolds. Thanks to all of you for listening. We'll catch up soon on the next edition of "MediaTalk."